What are your top ten security concerns, as it relates to a middle market corporate network? This would be a network of 250-500 computers, and roughly 5000-1,000 employees. From the below noted list of projects could you rate for me, please, what you would consider the top ten most important to you? For instance:

1. I need a way to test and roll out patches quickly and easily, and need more info about possible problems that might be encountered
2. I need a way to secure email and messaging from viruses and spam
3. I need to protect the confidentiality of email, especially in regulated industries
4. I need an easy way to configure all the components required for a remote access VPN to Windows RRAS server
5. I need to protect against internal threats, both inadvertent and deliberate, including leakage of confidential company info
6. I need a way to protect insiders from social engineering threats
7. I need a way to protect from employees developing "workarounds" for security measures in order to make their jobs more convenient
8. I need to secure my single Exchange Server
9. I need to monitor all the servers and workstations on my network and get Event Log information into a central location, without having to resort to third party apps
10. I need to configure the auditing of my users' file access and alert me of unusual activity
11. I need to configure our WAPs to support WPA and to configure the required supporting network infrastructure
12. I need a way to automatically wall off client computers from the rest of the network when they get infected with worms
13. I need a way to block spyware, malware, and malicious sites at the firewall and not depend on users' browser settings
14. I need a way to support smart card logon for remote access VPN connections, and some help figuring out what hardware and software is required to make it work
15. I need Windows Update/Microsoft Update to work for networks that use authenticating Web proxies
16. I need a way to be automatically notified when an untrusted computer is plugged into trusted network segments and disable that computer
17. I need to be able to easily provision new users, including account setup, group additions, and mailbox configuration
18. I need to be able to provide my users a way to securely reset their own passwords to reduce helpdesk calls
19. I need to provide my users with the ability to manage their own distribution and security groups for communications and permissions
20. I need to provide my partners with secure access to documents over the internet
21. I need to be able to "see" the overall level of security of my environment and get more information on (or remediate) any machines that are not up to our security standards
22. I need to secure laptops/mobile devices including pocket PCs and Smartphones
23. I need to secure a single SQL server
24. I need to provide single-sign-on capabilities for my users across both Windows and Unix/Linux machines
25. I need to consolidate directories between multiple applications/environments

Last edited by alt.don on Fri Nov 18, 2005 10:54 pm; edited 1 time in total
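Items 9 and 10 above (central Event Log collection, auditing users' file access and alerting on unusual activity) are really two halves of one problem: turning on the audit policy is the easy part, deciding what "unusual" means and raising an alert is the part that needs logic. The block below is an added example, not code from any post in this thread. It assumes Object Access auditing and SACLs on the file shares are already enabled so that Security event ID 4663 ("An attempt was made to access an object") is being logged, and that the collected events have been exported to a simplified key=value text form. The event lines, user and share names, the 10-minute window and the 5-object threshold are all constructed for illustration.

```python
"""Detect unusual file-access activity from Windows Security audit events.

Added example (not from the thread). Assumes file-access auditing is already
enabled (Object Access audit policy plus SACLs on the shares) so that event
ID 4663 is being logged, and that events have been exported into the
simplified key=value form used below. All sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line; real 4663 events carry many more fields, only the ones
# the detection needs are kept here.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) User=(?P<user>\S+) "
    r"Object=(?P<obj>\S+) Access=(?P<access>\S+)$"
)

# Constructed sample: a normal finance user during the day, and an account
# reading its way through an HR share late at night.
SAMPLE_EVENTS = """\
2005-11-18T09:02:11 EventID=4663 User=CORP\\jsmith Object=\\\\FS1\\Finance\\Q3.xls Access=ReadData
2005-11-18T09:15:40 EventID=4663 User=CORP\\jsmith Object=\\\\FS1\\Finance\\budget.doc Access=WriteData
2005-11-18T10:30:05 EventID=4663 User=CORP\\jsmith Object=\\\\FS1\\Finance\\Q3.xls Access=ReadData
2005-11-18T22:41:02 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\salaries.xls Access=ReadData
2005-11-18T22:41:09 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\reviews.doc Access=ReadData
2005-11-18T22:41:15 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\ssn_list.xls Access=ReadData
2005-11-18T22:41:22 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\payroll.mdb Access=ReadData
2005-11-18T22:42:01 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\org.vsd Access=ReadData
2005-11-18T22:42:30 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\offers.doc Access=ReadData
2005-11-18T22:43:10 EventID=4663 User=CORP\\mallory Object=\\\\FS1\\HR\\terminations.doc Access=ReadData
2005-11-18T14:00:00 EventID=4656 User=CORP\\jsmith Object=\\\\FS1\\Finance\\Q3.xls Access=ReadData
"""


def parse_events(text):
    """Parse key=value lines into dicts, keeping only 4663 (object accessed).

    4656 (handle requested) is deliberately dropped: it fires even when the
    access is later denied, so counting it would inflate the numbers.
    """
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "4663":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "obj": m.group("obj"),
            "access": m.group("access"),
        })
    events.sort(key=lambda e: e["ts"])  # exported logs are not always in order
    return events


def find_bulk_readers(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who touch more than `threshold` distinct objects within `window`.

    Sliding window per user: for each event, count distinct objects among that
    user's events in (ts - window, ts]. Returns {user: max distinct count}.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            distinct = {x["obj"] for x in evs[start:i + 1]}
            if len(distinct) > threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def find_off_hours(events, start_hour=7, end_hour=19):
    """Return (user, object, timestamp) for accesses outside business hours."""
    return [
        (e["user"], e["obj"], e["ts"])
        for e in events
        if not (start_hour <= e["ts"].hour < end_hour)
    ]


def alerts_for(text):
    """Full pipeline: parse, run both rules, return human-readable alert lines."""
    events = parse_events(text)
    out = []
    for user, n in sorted(find_bulk_readers(events).items()):
        out.append(f"BULK-READ {user}: {n} distinct objects within 10 minutes")
    for user, obj, ts in find_off_hours(events):
        out.append(f"OFF-HOURS {user} accessed {obj} at {ts.isoformat()}")
    return out


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

Both rules are deliberately simple thresholds; in practice the bulk-read threshold should be tuned per share from a baseline of normal activity, and anything fed to an alert should also be forwarded to the central log store so the evidence survives if the workstation or server is later compromised.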

1. (21) I need to be able to "see" the overall level of security of my environment and get more information on (or remediate) any machines that are not up to our security standards
*This is my top pick because if you can't see an overall picture of your security, what good are any of the other options?

2. (1) I need a way to test and roll out patches quickly and easily, and need more info about possible problems that might be encountered
*Non-patched machines mean higher risk of exploits, spyware infection, virus infection, etc

3. (12) I need a way to automatically wall off client computers from the rest of the network when they get infected with worms
*This mitigates the risk of complete network infection.

5. (22) I need to secure laptops/mobile devices including pocket PCs and Smartphones
*Unsecured laptops and mobile devices are one of the highest threats to network security because of the lax, unenforced security policies that go along with them.

6. (23) I need to secure a single SQL server
*The SQL server may provide confidential client information (i.e. credit card and social security numbers) and needs to be locked down.

7. (18) I need to be able to provide my users a way to securely reset their own passwords to reduce helpdesk calls
*End users cannot be writing down their passwords on sticky notes, nor can they be using simple passwords like "hello". This is why the concept of least privilege must be highly enforced. A compromise of one account does not necessarily mean a compromise of the network.

8. (13) I need a way to block spyware, malware, and malicious sites at the firewall and not depend on users' browser settings
*Perimeter security is a must.

9. (8) I need to secure my single Exchange Server
*E-mail confidentiality needs to be enforced to protect company secrets as well as highly classified information.

10. (2) I need a way to secure email and messaging from viruses and spam
*This too should be accomplished at the server/perimeter level, before the users get the message.

Another category I would add is diversity of defense. This means creating dissimilar layers of defense so that if an attacker knows how to bypass one layer, the next may not be quite as simple.

Last edited by PhiBer on Mon Oct 17, 2005 3:17 am; edited 3 times in total

1. I need a way to test and roll out patches quickly and easily, and need more info about possible problems that might be encountered
2. I need a way to secure email and messaging from viruses and spam
9. I need to monitor all the servers and workstations on my network and get Event Log information into a central location, without having to resort to third party apps
10. I need to configure the auditing of my users' file access and alert me of unusual activity
22. I need to secure laptops/mobile devices including pocket PCs and Smartphones
20. I need to provide my partners with secure access to documents over the internet
12. I need a way to automatically wall off client computers from the rest of the network when they get infected with worms
13. I need a way to block spyware, malware, and malicious sites at the firewall and not depend on users' browser settings
14. I need a way to support smart card logon for remote access VPN connections, and some help figuring out what hardware and software is required to make it work

The biggie is the patch rollout - since the latest patch killed Norton, Spysweeper and Windows Update. And it sux because I endorse the 'update frequently' policy and this patch has cost me thousands of dollars so far fixing machines at my clients' sites.

1) 1. I need a way to test and roll out patches quickly and easily, and need more info about possible problems that might be encountered
2) 2. I need a way to secure email and messaging from viruses and spam
3) 5. I need to protect against internal threats, both inadvertent and deliberate, including leakage of confidential company info
4) 7. I need a way to protect from employees developing "workarounds" for security measures in order to make their jobs more convenient
5) 8. I need to secure my single Exchange Server
6) 9. I need to monitor all the servers and workstations on my network and get Event Log information into a central location, without having to resort to third party apps
7) 16. I need a way to be automatically notified when an untrusted computer is plugged into trusted network segments and disable that computer
8) 21. I need to be able to "see" the overall level of security of my environment and get more information on (or remediate) any machines that are not up to our security standards
9) 22. I need to secure laptops/mobile devices including pocket PCs and Smartphones

OK, so it's only 9, but I could add about another 5 not on the list, lol

Tony Bailey, Microsoft Security Solutions Product Manager here. I've been trying to validate a list of security priorities based on your input from the forum here on security-forums. This is what I have so far - in order of priorities - would really like to hear your thoughts. Is this accurate? Am I missing anything major? Are there duplicate items in the list that could be combined?

Thanks!

I need a way to block spyware, malware, and malicious sites

I need to be able to monitor the overall level of security of my environment and remediate any machines that are not up to security standards

I need a way to roll back patches quickly and easily, and need more info about possible problems that might be encountered

I need a way to secure email and messaging from viruses and spam

I need to be able to easily provision new users, including account setup, group additions, and mailbox configuration

I need to protect against internal threats, both inadvertent and deliberate, including leakage of confidential company info and employee workarounds

I need to provide my partners with secure access to documents over the internet

I need a way to automatically wall off untrusted or infected computers from the rest of the network

I need to secure my single Exchange Server

I need to be able to provide my users a way to securely reset their own passwords to reduce helpdesk calls

I need an easy way to configure all the components required for a remote access VPN to Windows RRAS server

I need to configure the auditing of my users' file access and alert me of unusual activity

I need a way to roll out patches quickly and easily

I need to protect the confidentiality of email

I need a way to support smart card logon for remote access VPN connections, and help on what hardware and software is required to make it work

I need Windows Update/Microsoft Update to work for networks that use authenticating Web proxies

Last edited by secguide on Tue Dec 27, 2005 9:18 pm; edited 1 time in total

and
NOT
19. I need to provide my users with the ability to manage their own distribution and security groups for communications and permissions
rather
!19. I need to prevent my users from managing their own security groups ever, and I don't really trust them to manage distribution groups properly either.

I have included in the ten the priorities including things which might be already in place, so in some firms the "I need X" would be replaced with "I need to reliably maintain the operation of X".
It is hard to distinguish between the priority of getting something and the priority of keeping it. From a risk-management perspective the risk is of "not having it" so the two are equivalent, but it could be deemed more important to ensure that something you have come to rely on is truly reliable.